CJEU: EU-US Safe Harbor framework is invalid

The Court of Justice of the European Union (CJEU) has in its decision today declared that transfers of personal data from the EU to the US cannot rely on the Safe Harbor framework agreement.

The Court said that it is for the national Data Protection Authorities (DPAs) to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the EU Data Protection Directive.

Max Schrems, who brought the case against Ireland’s DPA said: “There are still a number of alternative options to transfer data from the EU to the US. The judgement makes it clear, that now national data protection authorities can review data transfers to the US in each individual case – while ‘Safe Harbor’ allowed for a blanket allowance. Despite some alarmist comments I don’t think that we will see major disruptions in practice.”

The European Parliament’s Civil Liberties Committee Chair Claude Moraes said: “The decision by the European Court of Justice today, declaring the invalidity of the Safe Harbour agreement, forces the European Commission to act in order to ensure that transatlantic transfers of personal data of EU citizens to companies in the US offer the continuity of protection required by EU law and come up with immediate alternative to Safe Harbour. The Commission has been in negotiations with the US for over a year on improving the framework but we have still received no update on these discussions.”

“The Commission must immediately put forward a new complete and strong framework for transfers of personal data to the US which complies with requirements of EU law as enshrined in the Charter of Fundamental Rights and EU data protection rules and provide our citizens with solid, enforceable data protection rights and effective independent supervision."

Ireland’s High Court is now required to examine Mr Schrems’ complaint to decide whether transfer of the data of Facebook’s European subscribers to the US should be suspended on the ground that the US does not afford an adequate level of protection of personal data.

Helen Dixon, Ireland’s Data Protection Commissioner, today welcomed the ECJ’s decision and stated that she has instructed her legal team to take action to swiftly bring the case back to the High Court. She will also “immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgement can be implemented in practice, quickly and effectively, particularly as it impacts on EU/US data transfers.”

The CJEU’s decision has major implications not only for Facebook, the subject of this case, but also for other US Internet companies, such as Google, Apple, Microsoft and Yahoo. They may become subject to investigations by individual EU DPAs if they have not secured personal data in the EU from US surveillance.